yahoo-eng-team team mailing list archive
Message #05019
[Bug 1191050] Re: HTTP Strict Transport Security not enabled on Horizon Dashboard
Posted to ML 19-9-13
** Changed in: ossn
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1191050
Title:
HTTP Strict Transport Security not enabled on Horizon Dashboard
Status in OpenStack Dashboard (Horizon):
Invalid
Status in OpenStack Security Notes:
Fix Released
Bug description:
Versions: 2012.2
The Horizon Dashboard does not enable HTTP Strict Transport
Security. As a result, browsers can be tricked into making HTTP
connections even if all connections to Horizon should be
protected via TLS. Therefore, web sessions are susceptible to
MitM attacks such as cookie/session stealing.
HTTP Strict Transport Security (HSTS) is a mechanism through which web
hosts can instruct browsers to only connect over SSL/TLS for future
connections. It helps prevent Man-in-the-Middle (MitM) attacks that
attempt to trick victims' browsers into dropping out of SSL/TLS. HSTS
can also help mitigate other weaknesses such as web applications which
omit the secure flag when setting session cookies. HSTS is currently
implemented in Firefox and Chrome, but will ideally be included in
other popular browsers as well.
For more information see
https://www.owasp.org/index.php/HTTP_Strict_Transport_Security
To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1191050/+subscriptions
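As an added illustration of the mechanism the bug description discusses (this is example code written for this archive page, not Horizon's own code or the fix shipped for the bug): a plain WSGI middleware that emits a `Strict-Transport-Security` header only on responses served over TLS, together with a small parser and audit routine a reviewer can run against the header value a deployment actually returns. The class and function names, the one-year `max-age` default and the sample `hello_app` are assumptions chosen for the example; any Python web stack that speaks WSGI (Horizon's Django included) could sit behind the same middleware.

```python
"""Example: add and audit an HTTP Strict Transport Security header (HSTS).

Not Horizon code; a self-contained illustration of RFC 6797 behaviour.
"""

HSTS_HEADER = "Strict-Transport-Security"
ONE_YEAR = 31536000  # seconds; a common minimum policy lifetime (assumption)


def hsts_value(max_age=ONE_YEAR, include_subdomains=True):
    """Build an HSTS header value such as 'max-age=31536000; includeSubDomains'."""
    value = "max-age=%d" % int(max_age)
    if include_subdomains:
        value += "; includeSubDomains"
    return value


class HSTSMiddleware(object):
    """WSGI middleware that sets HSTS on responses served over HTTPS.

    Browsers ignore the header when it arrives over plain HTTP, so it is
    only added when the WSGI server reports wsgi.url_scheme == "https".
    """

    def __init__(self, app, max_age=ONE_YEAR, include_subdomains=True):
        self.app = app
        self.value = hsts_value(max_age, include_subdomains)

    def __call__(self, environ, start_response):
        def hsts_start_response(status, headers, exc_info=None):
            if environ.get("wsgi.url_scheme") == "https":
                # Replace any copy the application already set so the
                # header is sent exactly once with the configured policy.
                headers = [(k, v) for k, v in headers
                           if k.lower() != HSTS_HEADER.lower()]
                headers.append((HSTS_HEADER, self.value))
            return start_response(status, headers, exc_info)

        return self.app(environ, hsts_start_response)


def parse_hsts(value):
    """Parse an HSTS header value into its directives (names are case-insensitive)."""
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    if not value:
        return result
    for directive in value.split(";"):
        name, _, raw = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            raw = raw.strip().strip('"')
            if raw.isdigit():
                result["max_age"] = int(raw)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    return result


def audit_hsts(value, min_age=ONE_YEAR):
    """Return a list of findings for an observed header value (empty list = OK)."""
    findings = []
    parsed = parse_hsts(value)
    if parsed["max_age"] is None:
        # max-age is mandatory; without it browsers ignore the whole header.
        findings.append("max-age missing or malformed; policy is not applied")
    elif parsed["max_age"] == 0:
        findings.append("max-age=0 clears any stored policy")
    elif parsed["max_age"] < min_age:
        findings.append("max-age shorter than the minimum policy lifetime")
    if not parsed["include_subdomains"]:
        findings.append("includeSubDomains not set; subdomains stay reachable over HTTP")
    return findings


def hello_app(environ, start_response):
    """Minimal WSGI application standing in for the dashboard (constructed)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"dashboard"]


def run_request(app, scheme="https"):
    """Drive a WSGI app with a minimal environ; return (status, header dict, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)
        return lambda data: None

    environ = {"wsgi.url_scheme": scheme, "REQUEST_METHOD": "GET", "PATH_INFO": "/"}
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    for scheme in ("https", "http"):
        _, headers, _ = run_request(HSTSMiddleware(hello_app), scheme)
        print(scheme, headers.get(HSTS_HEADER), audit_hsts(headers.get(HSTS_HEADER)))
```

Wrapping an application in `HSTSMiddleware` only helps once every request reaches the server over TLS and the TLS terminator passes the scheme through to WSGI; `audit_hsts` is the check to run against the live response, since a header that lacks `max-age`, or one that is only ever sent over HTTP, leaves browsers with no policy to enforce.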